430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Exclusive: Resecurity discovered 0-day vulnerability in TP-Link Wi-Fi 6 devices

Resecurity researchers found a zero-day vulnerability in the TP-Link enterprise device with model number TL-XVR1800L. Resecurity, a Los Angeles-based cybersecurity company has identified an active a zero-day vulnerability in the TP-Link device with model number TL-XVR1800L (Enterprise AX1800 Dual Band Gigabit Wi-Fi 6 Wireless VPN Router), which is primarily suited to enterprises. The identified vulnerability […]

TP-Link

Resecurity researchers found a zero-day vulnerability in the TP-Link enterprise device with model number TL-XVR1800L.

Resecurity, a Los Angeles-based cybersecurity company has identified an active a zero-day vulnerability in the TP-Link device with model number TL-XVR1800L (Enterprise AX1800 Dual Band Gigabit Wi-Fi 6 Wireless VPN Router), which is primarily suited to enterprises.

The identified vulnerability enables Remote Code Execution (RCE) which grants the ability to takeover of the device and then use it for malicious purposes, as well as to steal sensitive data too. It’s likely this vulnerability is present in other devices from the same family.

The affected device is orientated towards the enterprise segment and supports Wi-Fi 6 (the next-generation wireless standard which is faster than 802.11ac). Wi-Fi 6 officially arrived in late 2019, and Wi-Fi 6 enabled hardware was released throughout 2020. The main goal of this new standard is enhancing throughput-per-area in high-density scenarios, such as corporate offices, shopping malls and dense residential apartments.

Resecurity notified TP-Link on November 19th 2021, and received acknowledgment the very next day. TP-Link said they’re going to release a patch in a week (currently the 0-day vulnerability is in the wild). Resecurity shared Proof-of-Concept with TP-Link of how Remote Code Execution was achieved on the target device, along with multiple other vulnerabilities.

TP-Link

Below is the video PoC of the zero-day exploitation:

https://vimeo.com/650355530

According to Resecurity, the vulnerability was identified by the cause of abnormal traffic monitoring which consisted of a network of “honeypot” sensors to emulate common IoT devices developed by Resecurity are to hunt for malice on the internet.

Ongoing attacks were discovered by Resecurity’s researchers while monitoring the activity of a threat actor know for targeting networks and IoT devices since early October 2021.

Notably, the productized version of 0-day exploit was initially spotted by Resecurity’s HUNTER unit “in the wild” known as “TP-Linker”, the tool available for sale in the Chinese-speaking segment of the Dark Web.

Based on additional context – the actors are attacking insecure IoT devices and are involved in large-scale traffic manipulation including online-banking theft activity.

It’s not the 1st time TP-Link has faced critical vulnerabilities in their product line up, such bugs are widely leveraged by threat actors building IoT-based botnets like Mirai for further DDoS attacks and other malicious activities.

Insecurity of IoT devices remains a challenging cybersecurity issue and creates a vast flaw in the external network perimeter of companies which allows attackers to penetrate and steal sensitive data too.

Last year researchers found thousands of vulnerable TP-Link routers which took more than a year for the company to publish patches on their website. This year, cybersecurity researchers from the Flashback Team found and exploited critical vulnerabilities in another device by TP-Link Archer AC1750 at Pwn2Own Tokyo

Follow me on Twitter: @securityaffairs and Facebook

About the author: Resecurity Chief Executive Officer Gene Yoo

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

[adrotate banner=”5″]

[adrotate banner=”13″]